Cyber Incident Victim: Spotswood Public Schools

Spotswood Public Schools in New Jersey experienced a ransomware incident on September 11, 2021. The district, represented by law firm Baker & Hostetler, disclosed the event through a notification to the Maine Attorney General’s Office, though key operational details remained unspecified. Public reporting did not clarify the exact discovery timeline, whether systems were functionally impaired, or if data was encrypted by attackers. The district’s notification omitted identifying the threat actors or confirming if student data was compromised alongside employee information. On October 27, 2021, Spotswood determined that personal information belonging to one Maine resident was involved, triggering the state-mandated disclosure. This revelation confirmed that 424 individuals—all employees—were impacted by the breach, with exposed data including names combined with Social Security numbers, driver’s license numbers, or financial account details.

The district initiated response measures by contracting Kroll to provide affected individuals with one-year credit monitoring, fraud consultation, and identity theft restoration services. Notification letters were scheduled for mailing, with conflicting dates cited in documentation: the Maine Attorney General filing referenced November 28, while an attachment suggested November 18, 2021. Spotswood did not publish a public statement on its website regarding the incident, prompting external inquiries from media outlets seeking clarification on student involvement. No immediate replies were provided to these requests. The limited disclosure left critical aspects of the attack unresolved, including the scope of exfiltrated data, operational recovery timelines, and whether ransom demands were issued or paid.